Security Infrastructure: Meltdown & Spectre vulnerabilities

During the night of 3rd to 4th January 2018, Google’s Project Zero and several other computer security researchers publicly disclosed a group of major security vulnerabilities, codenamed Meltdown and Spectre, issued under the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2017-5715 (branch target injection – Spectre)

CVE-2017-5753 (bounds check bypass – Spectre)

CVE-2017-5754 (rogue data cache load – Meltdown)

These are hardware vulnerabilities affecting all x86 and some ARM-based microprocessors, allowing rogue software processes to read any kernel memory, regardless of whether they should be able to do so. Malicious programs can potentially exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running processes, including private data and other business-critical documents.

These flaws have been widely publicized as applicable to almost every personal computer, mobile device or Cloud infrastructure, regardless of the operating system it runs. While the risk is real, we strongly advise everyone to ensure that their personal devices are kept updated to prevent such a compromise, even though no proof of an actual exploit has been seen to date outside research labs.

That being said, ensuring our users’ data privacy, protection and security in the Cloud is one of our responsibilities and commitments. On the bright side, to maximize security and performance, we chose years ago, by design, to host Rainbow only on dedicated hardware Cloud resources. None of our infrastructure is shared with other IaaS customers, which rules out the hijacking of shared hardware resources by another tenant that could occur with other Cloud providers.

Meltdown and Spectre can in some sense be considered privilege escalation exploits: they require malicious software to already be running on the target server, which is highly unlikely given the very nature of our servers, which only allow trusted programs to run.

That being said, and to minimize all possible risks, we immediately updated every piece of our infrastructure that could be updated. The Debian Security Team published a Linux kernel update with KPTI (Kernel Page-Table Isolation) support on the night of the 4th of January, and the whole fleet of Rainbow servers had been updated accordingly by the 5th of January. By the 9th of January we had also updated all parts of our dedicated VMware ESX infrastructure.
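As an added example (not part of this advisory or of Rainbow’s own tooling), the following POSIX shell check reads the per-issue status files that Linux kernels carrying the January 2018 mitigation patches expose under /sys/devices/system/cpu/vulnerabilities and flags any host that still reports itself as vulnerable; it assumes those files exist on patched kernels and embeds a constructed sample so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original advisory: audit the mitigation status a
# Linux kernel reports for Meltdown and the two Spectre variants. Patched kernels
# expose one file per issue under VULN_DIR (assumed; older kernels have none).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "LINE" -> ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        Vulnerable*)                     echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# audit_dir DIR -> one "<issue> <status> <kernel text>" line per CVE;
# exit status 1 if anything is vulnerable or unknown, 0 if all mitigated
audit_dir() {
    dir="$1"; rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ ! -r "$f" ]; then
            echo "$issue unknown (no status file: kernel predates mitigation reporting?)"
            rc=1
            continue
        fi
        line=$(cat "$f")
        status=$(classify_status "$line")
        echo "$issue $status $line"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# make_sample DIR -> constructed snapshot of a half-patched host (KPTI on,
# retpoline on, Spectre v1 still reported as vulnerable) for offline testing
make_sample() {
    mkdir -p "$1"
    printf 'Mitigation: PTI\n'                    > "$1/meltdown"
    printf 'Vulnerable\n'                         > "$1/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$1/spectre_v2"
}

# With --host, audit the running kernel instead of the constructed sample
if [ "${1:-}" = "--host" ]; then
    audit_dir "$VULN_DIR"
    exit $?
fi
```

Run it with `--host` on each server after a kernel update; a non-zero exit means at least one issue is still reported as vulnerable or cannot be determined.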

Once again, while these flaws are potentially dangerous and exploitable, they have existed for almost 20 years and have only received intense media attention in the past few days. We remain confident in our solution and in the security measures we have always had in place, and we will keep ensuring that your private data remain private.